[Owasp-topten] Who Are the Initial Six Sampled?

Christian Heinrich christian.heinrich at cmlh.id.au
Thu May 30 03:54:03 UTC 2013


Neil,

I am not concerned with what ultimately become the entries of the
OWASP Top Ten; rather, my area of concern is that the methodology is
repeatable and the resulting entries are removed from bias.

These are simple tasks which would resolve the conflict related to
hearsay for the selection of entities for the OWASP Top Ten.

The core issue is that this is now the fourth release and Aspect
Security have done nothing to address the issues raised during this or
the last two releases (I have excluded 2005) and are expecting that
the fourth will be accepted without resistance from the OWASP Board
(of which Aspect Security also hold membership, which is also a clear
conflict of interest).

The same questions around bias for A9 would also be asked in relation
to http://blog.diniscruz.com/2013/01/should-mass-assignment-be-owasp-top-10.html
too, due to the large number of references intended to promote 02.

On Thu, May 30, 2013 at 10:51 AM, Neil Smithline
<neil.smithline at owasp.org> wrote:
> First, I apologize for taking your statements out of context. That was not
> my intent.
>
> I believe you are implying that objective statistics aren't of use when used
> in combination with subjective viewpoints. I disagree. Regarding the T10, I
> view subjective opinions as being an adjunct to the objective stats. It
> sounds like we have two different views of the right combination of
> subjective and objective input to the T10. That's fine. We can have
> different opinions.
>
> I disagree with your statement that the T10 had to change with the addition
> of new data sets. This disagreement seems natural as I seem to be more
> accepting of the subjective input than you. In general, I think that we
> could find many details where my being more forgiving about the exact
> numbers than you leads to a difference of opinion. This seems unavoidable
> given our different viewpoints.
>
> Also, and here is where a lot of subjective input comes into play, the T10
> is not supposed to be a post mortem of what has plagued web security for the
> past N years. Rather, it is supposed to be a guide to app sec for the next N
> years. In anticipation of your question, I know that nobody has a crystal
> ball. The T10 is just best guess or, if you prefer, subjective.
>
> I think that Mass Assignment vulnerabilities are a good example for adding
> subjective to the objective. I imagine (and I've not looked at stats - this
> is just an example) that there have been many large breaches due to Mass
> Assignment vulnerabilities in the past year or so. That said, IMO, the Mass
> Assignment stats are irrelevant to the future and Mass Assignment should not
> be in the T10.
>
> As the Mass Assignment vulnerabilities were typically in large frameworks
> that have addressed the issues, Mass Assignment is uninteresting because it
> is yesterday's news and not tomorrow's. You may disagree. That's fine.
>
> If you disagree enough, perhaps you'd like to start a new project that is a
> post mortem of the 10 most problematic web app sec issues for the past N
> years based 100% on objective stats. It is easy to start new projects in
> OWASP's open model. Even I've started a new project. Alas, it seems that
> starting a project is much simpler than making forward progress on it :-(
>
> Thanks for talking this out Christian. At least for me, this discussion has
> helped me clarify my thoughts. I hope it did the same for you.

-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
